SECURITY UPDATES

ZF2015-01: Session validators were not run if set before session start.
Essentially, the validators were writing to the $_SESSION superglobal before
session start, which meant the data was overwritten once the session began.
This meant on subsequent calls, the validators had no data to compare against,
making the sessions automatically valid. We have provided patches to ensure
that validators are run only after the session has begun, which will ensure
they validate sessions correctly going forward. If you use Zend\Session
validators, we recommend upgrading immediately.

2.3.3 (2014-09-17)

SECURITY UPDATES

ZF2014-05: Due to an issue that existed in PHP's LDAP extension, it is
possible to perform an unauthenticated simple bind against a LDAP server by
using a null byte for the password, regardless of whether or not the user
normally requires a password. We have provided a patch in order to protect
users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected
version of PHP, we recommend upgrading immediately.

ZF2014-06: A potential SQL injection vector existed when using a SQL
Server adapter to manually quote values due to the fact that it was not
escaping null bytes. Code was added to ensure null bytes are escaped, and
thus mitigate the SQLi vector. We do not recommend manually quoting values,
but if you do, and use the SQL Server adapter without PDO, we recommend
upgrading immediately.

SECURITY UPDATES

ZF2014-03: Potential XSS vector in multiple view helpers due to
inappropriate HTML attribute escaping. Many view helpers were using the
escapeHtml() view helper in order to escape HTML attributes. This release
patches them to use the escapeHtmlAttr() view helper in these situations.
If you use form or navigation view helpers, or "HTML element" view helpers
(such as gravatar(), htmlFlash(), htmlPage(), or htmlQuicktime()), we
recommend upgrading immediately.

2.2.9 (2015-01-14)

SECURITY UPDATES

ZF2015-01: Session validators were not run if set before session start.
Essentially, the validators were writing to the $_SESSION superglobal before
session start, which meant the data was overwritten once the session began.
This meant on subsequent calls, the validators had no data to compare against,
making the sessions automatically valid. We have provided patches to ensure
that validators are run only after the session has begun, which will ensure
they validate sessions correctly going forward. If you use Zend\Session
validators, we recommend upgrading immediately.
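The ordering the ZF2015-01 fix enforces, shown as an added example (not Zend\Session code): validators are queued before the session starts, but only read from or write to $_SESSION after session_start() has loaded the persisted data, so their reference values are not overwritten. The validator and class names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework code: a validator may only touch $_SESSION
// after session_start(), otherwise its reference value is replaced when the
// persisted session data is loaded.
interface SessionValidator
{
    public function getName(): string;
    public function getData(): string;              // value captured on this request
    public function isValid(string $stored): bool;  // compare against the stored value
}

final class UserAgentValidator implements SessionValidator
{
    public function getName(): string { return 'user_agent'; }
    public function getData(): string { return $_SERVER['HTTP_USER_AGENT'] ?? ''; }
    public function isValid(string $stored): bool { return hash_equals($stored, $this->getData()); }
}

final class ValidatedSession
{
    /** @var SessionValidator[] */
    private array $validators = [];

    // Attaching only queues the validator; nothing is written to $_SESSION yet.
    public function attach(SessionValidator $v): void { $this->validators[] = $v; }

    public function start(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();   // $_SESSION now holds the persisted data
        }
        foreach ($this->validators as $v) {
            $key = '__validator_' . $v->getName();
            if (!isset($_SESSION[$key])) {
                $_SESSION[$key] = $v->getData();   // first request: record the reference value
                continue;
            }
            if (!$v->isValid($_SESSION[$key])) {
                session_unset();
                session_destroy();
                throw new RuntimeException('Session failed validator ' . $v->getName());
            }
        }
    }
}

$session = new ValidatedSession();
$session->attach(new UserAgentValidator());   // queued, session not started yet
$session->start();                            // starts the session, then validates
```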

2.2.8 (2014-09-17)

SECURITY UPDATES

ZF2014-05: Due to an issue that existed in PHP's LDAP extension, it is
possible to perform an unauthenticated simple bind against a LDAP server by
using a null byte for the password, regardless of whether or not the user
normally requires a password. We have provided a patch in order to protect
users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected
version of PHP, we recommend upgrading immediately.
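The check behind the ZF2014-05 patch, as an added example (not Zend\Ldap code): the password is inspected before it reaches ldap_bind(), so an empty value or an embedded NUL byte cannot turn an intended authenticated bind into an unauthenticated one on an unpatched PHP. The function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Zend\Ldap code: refuse the bind before the password is
// handed to ldap_bind(), which on affected PHP versions treated a NUL byte as
// the end of the password and performed an unauthenticated simple bind.
function isUsableBindPassword(string $password): bool
{
    if ($password === '') {
        return false;                        // empty password => anonymous bind
    }
    if (strpos($password, "\0") !== false) {
        return false;                        // NUL truncates the password at the C level
    }
    return true;
}

/**
 * @param resource|\LDAP\Connection $ldap  connection returned by ldap_connect()
 */
function authenticatedBind($ldap, string $dn, string $password): bool
{
    if (!isUsableBindPassword($password)) {
        throw new InvalidArgumentException('Refusing bind: empty or NUL-containing password');
    }
    return ldap_bind($ldap, $dn, $password);
}

// Constructed inputs, evaluated without a live directory server.
var_dump(isUsableBindPassword('correct horse battery'));
var_dump(isUsableBindPassword(''));
var_dump(isUsableBindPassword("secret\0ignored"));
```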

ZF2014-06: A potential SQL injection vector existed when using a SQL
Server adapter to manually quote values due to the fact that it was not
escaping null bytes. Code was added to ensure null bytes are escaped, and
thus mitigate the SQLi vector. We do not recommend manually quoting values,
but if you do, and use the SQL Server adapter without PDO, we recommend
upgrading immediately.

2.2.7 (2014-04-15)

SECURITY UPDATES

ZF2014-03: Potential XSS vector in multiple view helpers due to
inappropriate HTML attribute escaping. Many view helpers were using the
escapeHtml() view helper in order to escape HTML attributes. This release
patches them to use the escapeHtmlAttr() view helper in these situations.
If you use form or navigation view helpers, or "HTML element" view helpers
(such as gravatar(), htmlFlash(), htmlPage(), or htmlQuicktime()), we
recommend upgrading immediately.
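Why escapeHtml() is the wrong tool for attribute values, as an added example (not the Zend\Escaper implementation): an attribute escaper encodes every character outside a small safe set, so characters that htmlspecialchars() leaves alone (space, `=`, and others) cannot terminate the attribute when a template emits it unquoted. The escaper follows the OWASP attribute-encoding rule and assumes UTF-8 input and the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example, not Zend\Escaper: attribute-context escaping that encodes
// every character outside [A-Za-z0-9,.-_] as a numeric entity (OWASP rule).
function escapeHtmlAttr(string $value): string
{
    $out = preg_replace_callback(
        '/[^A-Za-z0-9,.\-_]/u',
        static function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            // Control characters other than tab, LF and CR become U+FFFD.
            if ($cp <= 0x1F && $cp !== 0x09 && $cp !== 0x0A && $cp !== 0x0D) {
                return '&#xFFFD;';
            }
            return sprintf($cp < 0x100 ? '&#x%02X;' : '&#x%04X;', $cp);
        },
        $value
    );
    if ($out === null) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    return $out;
}

// Body-context escaping: only & < > " ' are touched, which is fine between
// tags but leaves space and '=' intact inside an attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed value: with escapeHtml() the space and '=' survive, so an
// unquoted attribute would be split into two attributes; escapeHtmlAttr()
// encodes both and the whole string stays one attribute value.
$title = 'red shirt size=L';
echo '<span title=' . escapeHtml($title) . '>', PHP_EOL;
echo '<span title=' . escapeHtmlAttr($title) . '>', PHP_EOL;
```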

SECURITY UPDATES

ZF2014-01: Potential XXE/XEE attacks using PHP functions:
simplexml_load_*, DOMDocument::loadXML, and xml_parse. A new component,
ZendXml, was introduced to mitigate XML eXternal Entity and XML Entity
Expansion vectors that are present in older versions of libxml2 and/or PHP.
Zend\Json\Json::fromXml() and Zend\XmlRpc's Response and Fault classes
were potentially vulnerable to these attacks. If you use either of these
components, we recommend upgrading immediately.

SECURITY UPDATES

An issue with Zend\Http\PhpEnvironment\RemoteAddress was reported in #5374.
Essentially, the class was not checking if $_SERVER['REMOTE_ADDR'] was one of
the trusted proxies configured, and as a result, getIpAddressFromProxy() could
return an untrusted IP address.

The class was updated to check if $_SERVER['REMOTE_ADDR'] is in the list of
trusted proxies, and, if so, will return that value immediately before
consulting the values in the X-Forwarded-For header.

If you use the RemoteAddr Zend\Session validator, and are configuring
trusted proxies, we recommend updating to 2.2.5 or later immediately.
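The trusted-proxy rule from the #5374 fix, as an added example (not the RemoteAddress class itself): X-Forwarded-For is consulted only when REMOTE_ADDR is a configured trusted proxy, and the header is walked from the right so that hops added by trusted proxies are skipped. The function name and sample addresses are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Zend\Http\PhpEnvironment\RemoteAddress: honour
// X-Forwarded-For only when the direct peer is a trusted proxy, and return the
// right-most hop that was not itself added by a trusted proxy.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;   // untrusted peer: ignore whatever it claims in the header
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;
    }
    $hops = array_reverse(array_map('trim', explode(',', $header)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;        // malformed entry: stop walking and fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;  // first hop that a trusted proxy did not insert
        }
    }
    return $remote;       // every hop was a trusted proxy, or the header was unusable
}

$trusted = ['10.0.0.2', '10.0.0.3'];

// Constructed request 1: header arrives through trusted proxies and is honoured;
// the trailing 10.0.0.2 hop is skipped and 203.0.113.7 is returned.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.3',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2',
];
echo clientIp($viaProxy, $trusted), PHP_EOL;

// Constructed request 2: the same header from an untrusted peer is ignored
// and REMOTE_ADDR is returned unchanged.
$direct = [
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];
echo clientIp($direct, $trusted), PHP_EOL;
```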

Potential Breakage

#5343 removed the DateTimeFormatter filter from DateTime form elements. This
was done due to the fact that it led to unexpected behavior when non-date
inputs were provided. However, since the DateTime element already incorporates
a DateValidator that accepts a date format, validation can still work as
expected.

Potential Breakage

Zend\Validator was altered to remove the dependency on Zend\I18n by creating
Segregated Interfaces. The practical upshot is that
Zend\Validator\AbstractValidator no longer implements
Zend\I18n\Translator\TranslatorAwareInterface, but rather
Zend\Validator\Translator\TranslatorAwareInterface, which now typehints on
Zend\Validator\Translator\TranslatorInterface instead of
Zend\I18n\Translator\Translator. This means you cannot pass a
Zend\I18n\Translator\Translator instance directly to a validator any longer.

However, we have included a new class, Zend\Mvc\I18n\Translator, that extends
the i18n Translator class and implements the Validator TranslatorInterface. This
class may be used as a drop-in replacement. In fact, by default,
Zend\Validator\ValidatorPluginManager is now using the MvcTranslator
service, which utilizes this new class, making the change seamless for most
users.

The above change will only affect you if you were manually injecting a
translator instance into your validators.

2.1.6 (2014-03-06)

SECURITY UPDATES

ZF2014-01: Potential XXE/XEE attacks using PHP functions:
simplexml_load_*, DOMDocument::loadXML, and xml_parse. A new component,
ZendXml, was introduced to mitigate XML eXternal Entity and XML Entity
Expansion vectors that are present in older versions of libxml2 and/or PHP.
Zend\Json\Json::fromXml() and Zend\XmlRpc's Response and Fault classes
were potentially vulnerable to these attacks. If you use either of these
components, we recommend upgrading immediately.
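Loading untrusted XML without exposing the XXE/XEE vectors named in ZF2014-01 (both occurrences above), as an added example that is not the ZendXml component: a DOCTYPE is rejected before and after parsing, external resources are never resolved, and LIBXML_NONET blocks network access. It assumes PHP 8.0 or later, where libxml's external entity loader is already disabled by default; on older versions libxml_disable_entity_loader(true) must be called first.

```php
<?php
declare(strict_types=1);

// Added example, not ZendXml: parse untrusted XML with DOMDocument while
// refusing any document that carries a DOCTYPE, which is where external entity
// and entity-expansion declarations live.
function loadUntrustedXml(string $xml): DOMDocument
{
    // Fast path: reject obvious DTD markup before libxml sees it.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new RuntimeException('XML with a DOCTYPE/ENTITY declaration is not accepted');
    }
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        $dom->resolveExternals   = false;   // never fetch an external DTD subset
        $dom->substituteEntities = false;   // keep entity references unexpanded
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('Malformed XML');
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
    // Authoritative check: a document type node means a DTD got past the string
    // check (for example in another encoding), so refuse the document anyway.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new RuntimeException('Document type declaration rejected');
        }
    }
    return $dom;
}

// Constructed inputs: a plain document is accepted, one declaring an entity is not.
$plain = '<?xml version="1.0"?><order><id>42</id></order>';
echo loadUntrustedXml($plain)->documentElement->nodeName, PHP_EOL;

$withDtd = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY x "y">]><order>&x;</order>';
try {
    loadUntrustedXml($withDtd);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```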

Potential Breakage

Includes a fix to the classes Zend\Filter\Encrypt
and Zend\Filter\Decrypt which may pose a small break for end-users. Each
requires an encryption key be passed to either the constructor or the
setKey() method now; this was done to improve the security of each
class.

Zend\Session includes a new Zend\Session\Storage\SessionArrayStorage
class, which acts as a direct proxy to the $_SESSION superglobal. The
SessionManager class now uses this new storage class by default, in
order to fix an error that occurs when directly manipulating nested
arrays of $_SESSION in third-party code. For most users, the change will
be seamless. Those affected will be those (a) directly accessing the
storage instance, and (b) using object notation to access session
members:

Potential Breakage

Includes a fix to the classes Zend\Filter\Encrypt
and Zend\Filter\Decrypt which may pose a small break for end-users. Each
requires an encryption key be passed to either the constructor or the
setKey() method now; this was done to improve the security of each
class.